Blaster
The Blaster worm, also known as Lovesan, created havoc in the late summer of 2003 with widespread Distributed Denial of Service (DDoS) attacks, with damage totalling in the hundreds of millions of dollars. It is also notable for two hidden text strings: one that says "I just want to say LOVE YOU SAN!" and a message to Microsoft CEO Bill Gates. It appeared less than a month before the Sobig worm.

Behavior

Blaster arrives on an internet-connected computer from an already infected system through an exploit against an unpatched Microsoft Windows computer. The computer receives instructions to execute the worm from the previously infected computer. When run, Blaster adds the value {"windows auto update"="msblast.exe"} to the registry key {HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run}, which causes the worm to run each time Windows starts.

Blaster generates IP addresses, usually based on the address of the infected computer, and attempts to infect the computers at those addresses. 40% of the time, the first two octets of the generated IP address are the same as those of the computer that was just infected. If the third octet of the already infected computer's address is greater than 20, a random number is subtracted from it in the generated address. The worm then generates the fourth octet using the numbers 1 to 254 and sends a copy of itself to every computer it can find in that range. The remaining 60% of the time, the generated IP address is completely random. The worm scans the local class C subnet, or other random subnets, on port 135 and attempts to enter the systems it discovers. It first checks whether the targeted system has already been infected and the worm is running. If not, exploit code is sent to those systems, instructing them to download and execute the file MSBLAST.EXE from a remote system via TFTP. The worm listens on UDP port 69.
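As an added example that is not part of the original wiki page, the following Python script turns the network behaviour described above (one host sweeping its class C subnet on TCP 135, the TFTP transfer of MSBLAST.EXE on UDP 69) together with the remote shell on TCP 4444 mentioned further down into a simple detection heuristic over flow records. The flow-record format, the sample addresses and the sweep threshold of 20 distinct targets are assumptions constructed for the example; the point it makes is that a single connection to TCP 135 is ordinary Windows RPC traffic, so only a horizontal sweep is treated as scanning.

```python
"""Added example, not code from the original page: a flow-log heuristic
for Blaster-style indicators. Log format and sample data are constructed."""
import ipaddress
from collections import defaultdict


def parse_flow(line):
    """Parse a constructed flow record "src dst proto dport" (assumed format)."""
    src, dst, proto, dport = line.split()
    return src, dst, proto.lower(), int(dport)


def constructed_flows():
    """Constructed sample: one host sweeping its /24 on tcp/135, plus the
    TFTP download and remote-shell traffic the page describes."""
    lines = [f"10.1.2.50 10.1.2.{i} tcp 135" for i in range(1, 31)]
    lines += [
        "10.1.2.7 10.1.2.8 tcp 135",       # a single DCOM/RPC call: normal on Windows LANs
        "10.1.2.9 10.1.2.50 udp 69",       # victim fetching MSBLAST.EXE over TFTP
        "10.1.2.7 10.1.2.99 tcp 80",       # ordinary web traffic
        "192.0.2.77 10.1.2.50 tcp 4444",   # someone using the hidden remote shell
    ]
    return lines


def detect_blaster_indicators(lines, sweep_threshold=20):
    """Return the three indicator sets. A lone connection to TCP 135 is
    normal Windows RPC traffic, so only a sweep of many hosts in one /24
    (>= sweep_threshold distinct targets) is flagged as scanning."""
    targets = defaultdict(set)   # (src, /24 network) -> distinct dst hosts hit on tcp/135
    tftp, shell = [], []
    for line in lines:
        if not line.strip():
            continue
        src, dst, proto, dport = parse_flow(line)
        if proto == "tcp" and dport == 135:
            net = ipaddress.ip_network(f"{dst}/24", strict=False)
            targets[(src, str(net))].add(dst)
        elif proto == "udp" and dport == 69:
            tftp.append((src, dst))
        elif proto == "tcp" and dport == 4444:
            shell.append((src, dst))
    sweeps = {key: len(hosts) for key, hosts in targets.items()
              if len(hosts) >= sweep_threshold}
    return {"sweeps": sweeps, "tftp": tftp, "shell": shell}


def suspect_hosts(report):
    """Hosts that look infected: sweep sources, TFTP servers (the worm
    serves MSBLAST.EXE on UDP 69) and hosts accepting shells on tcp/4444."""
    hosts = {src for src, _net in report["sweeps"]}
    hosts |= {dst for _src, dst in report["tftp"]}
    hosts |= {dst for _src, dst in report["shell"]}
    return hosts


if __name__ == "__main__":
    report = detect_blaster_indicators(constructed_flows())
    for (src, net), count in report["sweeps"].items():
        print(f"sweep: {src} hit {count} hosts in {net} on tcp/135")
    for src, dst in report["tftp"]:
        print(f"tftp: {src} -> {dst} udp/69")
    for src, dst in report["shell"]:
        print(f"shell: {src} -> {dst} tcp/4444")
    print("suspect hosts:", sorted(suspect_hosts(report)))
```

On the constructed sample, 10.1.2.50 is the only host that appears as a sweep source, as the TFTP server and as the shell endpoint, which is exactly the combination a Blaster victim presents; the benign host 10.1.2.7 is not flagged even though it also touched port 135 once.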
When the worm receives a request from a computer to which it was able to connect using the DCOM RPC exploit, it sends MSBLAST.EXE to that computer and tells it to execute the worm. The worm starts a SYN flood on August 15 against port 80 of windowsupdate.com, creating a DDoS attack against the site after August 16. The worm uses Cmd.exe to create a hidden remote shell process that listens on TCP port 4444, allowing an attacker to issue remote commands on an infected system. Blaster cannot spread to Windows NT or Windows Server 2003, but unpatched computers running these operating systems may crash as a result of the worm's attempts to exploit them. However, if the worm is manually placed and executed on a computer running these operating systems, it can run and spread.

Known Damage

The Blaster worm shut down CSX, the largest railroad system in the Eastern U.S., for hours, crippled the new Navy/Marine Corps intranet, shut down Air Canada's check-in system and has been implicated in the severity of the Northeast blackout. The Maryland Motor Vehicle Administration shut its offices for the day because its systems were so severely affected by Blaster that it could no longer operate normally. Other organisations reportedly suffering network slowdowns or worse because of the worm include German car manufacturer BMW, Swedish telco TeliaSonera, the Federal Reserve Bank of Atlanta and Philadelphia's City Hall. Damage totalled $320 million. Microsoft believes that between 8 and 16 million computers were infected with Blaster. Some systems may have been counted more than once, as the figures were based on the number of submissions of the worm received.

Creator

Although the creator of the original Blaster worm is unknown, Jeffrey Lee Parson was arrested for creating the B variant of the worm. He was convicted and sentenced to 18 months in prison.
Another variant, which came from Romania in September 2003, was confined to the intranet of a Romanian university. Its creator, Dan Dumitru Ciobanu, faces 15 years in prison if convicted of "unlawful possession of a program and disturbing a computer system".

Other Facts

The worm contains text that is never displayed: "I just want to say LOVE YOU SAN!! billy gates why do you make this possible ? Stop making money and fix your software!!"

Sources

- John Leyden. The Register, "Blaster rewrites Windows worm rules". 2003.08.14
- John Leyden. The Register, "Blaster Body Count '8m or Above'". 2004.04.05
- Ellen Messmer. PCWorld, "Blaster Worm Racks Up Victims". 2003.08.15
- Wikipedia, "Blaster (computer worm)"
- Douglas Knowles, Frederic Perriot, Peter Szor. Symantec.com, "W32.Blaster.Worm"
- Brian E. Burke, Charles J. Kolodgy, Christian A. Christiansen. IDC, "MARKET ANALYSIS Worldwide Security Software 2004–2008 Forecast: April 2004 Forecast"
- Andy McCue. Silicon.com, "MSBlast virus writer faces 15 years behind bars". 2004.01.19

Categories: Worm, Internet worm, MSWindows, MSWindows worm, C (programming language), Hundred million dollar damage, High profile damage, DoS attacker, Malicious